Solving Cloud Run Custom Domain Error: “Caller is not authorized to administer the domain”

3 min read · Oct 25, 2025

Introduction

When setting up a custom domain for Cloud Run using Terraform or the gcloud command, you may encounter the following error:

Error: Error waiting to create DomainMapping: resource is in failed state "Ready:False", 
message: Caller is not authorized to administer the domain example.com.
If you own example.com, you can obtain authorization by verifying ownership of the domain,
or any of its parent domains, via the Webmaster Central portal:
https://www.google.com/webmasters/verification/verification?domain=

This error commonly occurs in CI/CD pipelines or when using Service Accounts for automated deployments, and the solution isn’t always obvious. This article provides a detailed explanation of how to resolve it.

TL;DR

You need to grant domain ownership permissions to your Service Account.

  1. Verify your domain in Google Search Console
  2. Add your Service Account’s email address as an “Owner”
  3. Re-run Terraform/gcloud

Root Cause

This error occurs in the following scenarios:

1. Domain verified with personal account, but executing with Service Account

2. Automated deployment via CI/CD (e.g., GitHub Actions)

# .github/workflows/deploy.yml
- name: Deploy to Cloud Run
  run: terraform apply -auto-approve
  # ↑ Fails because it runs as the Service Account

3. Deployment across multiple projects or environments

  • Development: Set up with personal account ✅
  • Production: Set up with Service Account ❌

Solution

Step 1: Verify Domain Ownership

First, verify domain ownership with your personal Google account.

  1. Go to Google Search Console
  2. Click “Add property” → Select “Domain”
  3. Enter your domain name (e.g., example.com)
  4. Add the TXT record to your DNS
  5. Complete verification

Step 2: Identify Your Service Account Email

# Show the account gcloud is currently using
# (Terraform may use different credentials, e.g. GOOGLE_APPLICATION_CREDENTIALS)
gcloud config get-value account

# List Service Accounts in your project
gcloud iam service-accounts list

# Example output:
# NAME            EMAIL
# terraform-sa    terraform-sa@my-project.iam.gserviceaccount.com
# github-actions  github-actions@my-project.iam.gserviceaccount.com

Step 3: Add Service Account as Owner

Important: This is the most commonly overlooked step.

  1. Open Google Search Console
  2. Select your verified domain property
  3. Click “Settings” in the left menu
  4. Click “Users and permissions”
  5. Click the “Add user” button
  6. Enter your Service Account email address (example: terraform-sa@my-project.iam.gserviceaccount.com)
  7. Set permission level to “Owner” (critical!)
  8. Click “Add”

Step 4: Verify and Re-execute

The permission takes effect immediately after being added.

# For Terraform
terraform plan
terraform apply

# For gcloud
gcloud run domain-mappings create \
  --service=my-service \
  --domain=example.com \
  --region=asia-northeast1

Terraform Configuration Example

resource "google_cloud_run_domain_mapping" "default" {
  location = var.region
  name     = var.custom_domain

  metadata {
    namespace = var.project_id
  }

  spec {
    route_name = google_cloud_run_service.default.name
  }

  # Handle dependencies
  depends_on = [
    google_cloud_run_service.default
  ]
}

Troubleshooting

1. Error persists after adding permissions

# Verify the correct Service Account is being used
gcloud auth list

# Execute while impersonating the Service Account
gcloud run domain-mappings create \
  --service=my-service \
  --domain=example.com \
  --region=asia-northeast1 \
  --impersonate-service-account=SERVICE_ACCOUNT_EMAIL

2. Using subdomains

Verifying the parent domain covers all subdomains:

  • Verify example.com → Can use subdomain.example.com
  • Verify example.com → Can use api.example.com

You can also verify subdomains individually if needed.

3. Using the same domain across multiple projects

You need to add each project’s Service Account as an owner in Search Console.

# Project A Service Account
sa-project-a@project-a.iam.gserviceaccount.com

# Project B Service Account
sa-project-b@project-b.iam.gserviceaccount.com
# Add both as owners in Search Console

Summary

The “Error waiting to create DomainMapping” error is caused by the Service Account lacking domain ownership permissions.

Key points to remember:

  1. Domain verification is per user account — Not automatically shared with other users or Service Accounts
  2. Search Console permission grant is required — Separate from IAM permissions
  3. “Owner” level permission is necessary — “Full access” is insufficient
  4. Verifying the parent domain is more convenient — Applies to all subdomains

Masato Naka

Written by Masato Naka

An SRE, mainly working on Kubernetes. CKA (Feb 2021). His interests include cloud-native application development and machine learning.
